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We use Dijkstra's programming method to solve the so-called 
McDonald's problem and show how to rigorously introduce file input/ 
output operations in the program. The steps involved are quite simple 
and the paradigm suggested is applicable to the wider class of 
problems that involve sequentially processing file records. For 
these problems, the programs developed using the data structure 
design methodology are generally considered to be the most desir- 
able. We show that Dijkstra's method can yield the same program. 
Unlike other methodologies, it also yields a correctness proof, 
which is extremely valuable in understanding the program and in 
modifying it. 

I. INTRODUCTION 

In this paper, we use Dijkstra's method of simultaneously developing 
a program and a proof of its correctness to solve the so-called Mc- 
Donald's warehouse problem. The problem briefly is to read a card file 
and print an inventory report. Our interest in it stems from the fact 
that it requires sequentially processing the records of a file — a task 
common to a large class of problems. As we solve the problem, we 
illustrate how to rigorously introduce file input/output operations 
within the framework of Dijkstra's method. This aspect of the solution 
is intended to be a paradigm that is applicable to the above-mentioned 
class of problems. 

Our solution serves one other purpose. The McDonald's warehouse 
problem is often used to compare the effectiveness of different pro- 
gramming methodologies in developing programs that sequentially 
process files. As discussed in Ref. 1, the programs developed using the 
data structure design methodology are generally considered to be the 
most desirable. This is primarily because the structure of the resulting 
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program closely reflects the structure of the input data. The program 
developed in this paper is identical to that developed by the data 
structure design methodology, except that the latter has no correctness 
proof associated with it. The proof-related assertions in a program are 
not only helpful in understanding it, but also in systematically modify- 
ing it. 

The solution discussed below is quite simple and regular — as a 
paradigm it can be systematically applied to other similar problems. It 
is obtained in three steps. In Step 1, we develop the program and its 
proof assuming that the records of the file are available in an array. 
This version of the program also uses a few symbols that are related 
to its proof, assuming that their values are readily available. These 
assumptions are made purely for the sake of convenience in developing 
the program and are removed in the next two steps. In Step 2, we (i) 
introduce additional program variables, (ii) modify the assertions to 
reflect the introduction of the new program variables, and (Hi) add 
appropriate statements that make the assertions hold. Thus, we are 
guaranteed that the program remains correct through all the modifi- 
cations. This is done to eliminate from the program text the symbols 
whose values are not readily available. In Step 3, we introduce the file 
operations. This is done by replacing suitably chosen initialization 
statements by openfile and by replacing certain other groups of assign- 
ment statements, by readfile or writefile. 

Section II presents the problem, first informally and then formally. 
This is followed by the three steps of the solution in Section III and by 
a summary in Section IV. 

II. PROBLEM SPECIFICATION 

McDonald's food warehouse receives and distributes food items. 
Each shipment received or distributed is recorded on a punched card 
that contains the name of the item and the change in the quantity of 
the item due to that shipment. The change is recorded as a positive 
integer when items are received and negative otherwise. These cards 
are alphabetically sorted according to item names by another program. 

The problem is to write a program to read the sorted card file and 
print an inventory report. The report should show the net change in 
the inventory of each item transacted and the number of distinct food 
items transacted. At this point, the reader may wish to devise his or 
her own solution and later compare it with the solution derived below. 

The following is a more formal statement of the problem, which is 
used in developing the solution in Section III. 

Assume that the transaction file contains M - 1 cards, and the ith 
card contains two fields, f(i) and q(i), where 1 < i < M - 1, f(i) is a 
positive integer representing the name of the food item on the ith card, 
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and q(i) is an integer representing the change in the quantity of f(i). 
Note that, without any loss of generality, we have assumed f(i)'a to be 
integers instead of identifiers. 

The file has been sorted in the nondescending order of f(i)'s. For the 
sake of discussion, we augment the file with an extra card signifying 
"end of file" (EOF) condition for which f(M) = EOF and q(M) = 0. 
The value EOF is assumed to be greater than all the other f(i)'s to 
maintain the sorted nature of the file. 

Clearly, all the cards of a particular food item are grouped together 
in the file. Let N be the number of distinct food items, that is, the 
number of groups in the augmented file. Let m n be the index of the 
first card of the nth group, where 1 < n < N. That is, 

m\ = 1 

and m„ = min {i : m n -\ <i<M and f(i — 1) < f(i)} for 1 < n < N. 

The m,'s have the following property 

1 = mi < 77i2 • • • < m,N-i < rriN = M. 

Define p n to be the net change in the quantity of the nth food item, 
where 1 < n < N. We do not define Pn, which corresponds to the 
fictitious card used to augment the file. We can express p„ as 

Pn = X Qd) forl<n<AT. 

m n — ,<: "'n+l 

Note thatp„'s are the values to be printed in the report. 

We can now define the goal of the program as: Print N - 1 lines 
such that the nth line contains the name of the nth food item [(i.e., 
/(m„)] and the net change in the quantity of the food item, i.e., p n . 
Then print a line containing N — 1, the number of food items trans- 
acted. Note that iV is the number of groups in the augmented file. 

III. SOLUTION 

In the following, we first develop a program to print the first N — 1 
lines of the report and add the last line later. 

We assume that the reader has at least a cursory knowledge of the 
methodology described in Refs. 1 and 2. See Ref. 3 for a brief tutorial. 

We develop the iterative solution in three steps. In Section 3.1, we 
assume that N is known, and the following are available as arrays: 

f(i) and q(i) for l<i<M, and 

m.i for 1 < i < N. 

In Section 3.2, we remove the above assumptions one by one, as 
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described in Section I. This is done by introducing new program 
variables, etc., while still maintaining program correctness. This cul- 
minates in a program in which N need not be known, and only one 
element each from the arrays f(i) and q(i) appears in the loop. 

In Section 3.3, we identify statements that can be replaced by file 
operations. This substitution is quite mechanical and yields a program 
that sequentially reads the card file and prints the first N - 1 lines of 
the report. The post-assertion of this program is then used to print the 
last line of the report. 

3.1 Step 1 
In the notation of Ref. 1, the result assertion is given by 
Rl: (A i : 1 < i < N : pi has been printed). 

This should be read as follows: for all i such that 1 < i < N, p, has been 
printed. 

The iterative statement will be the main part of the program. Its 
loop invariant PI is obtained by weakening the result assertion Rl, 
that is, replacing the constant N by a variable n. Thus, we have 

PI: (A i : 1 < i < n < N : pt has been printed) 

and (PI An = N)=Rl. 

The first version of the program is as below. 
Solution 1.1 

n := 1; {PI} 
don ^ N-h> 

Increase n under the invariance of P 1 . 
od {PI An = N). 

This program begins with an initialization step that trivially establishes 
PI. The loop increases n and keeps PI invariant; therefore, at the end 
we can assert PI A n = N, which is equivalent to Rl. 
To show termination, choose the termination function 

t = N-n. 

The value of t is initially N - 1, each iteration of the loop reduces it, 
and t > 0. The loop, therefore, must terminate. 
We now add a statement to increment n: 

n := 1; {PI} 
don^iV-* 

Si; {Q} 

n := n + 1 {PI} 
od{Pl An = N). 
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Here, Q is the "weakest precondition such that the execution of 'n := 
7i + 1' will establish PI." It is obtained by replacing all occurrances of 
n in PI by n + 1, and the resulting expression is denoted byPl|« +1 . 
Thus, 

Q = wp("n :=n + 1", PI) = Pl|2 + \ 

where wp(S,P) is the weakest precondition in which execution of S 
will establish P. 

The statement SI, starting execution in state PI, must establish 
Pl|" +l . This can be simply done by computing the value of p n and 
printing it. Thus, SI can be refined as: 

SI: {PI} 

S2; {sum=p n APl} 
print {sum) {Pl|« +1 }, 

where the program variable sum has been introduced. 
We now refine S2. It has the property 

{PI} S2 {P2andPl}, 

where 

R2:sum = p n = S ff(*)« 

m n — ' <m n + \ 

Statement S2 will be an iterative program, and to get its loop invariant 
P2, replace the constant m n +\ by a variable m. Thus, 

P2: sum = £ q{i) 



m„^i<msm„ 



and (P2 Am = m„+i) = R2. 

Using the same technique as before, S2 is refined as 

S2: m := m„; sum := 0; {P2} 
do m ¥< m n +i —> 
S3;{P2|r'} 
m:=m+ 1{P2} 
od {P2 A m = m n +\) . 

Notice that the initializations establish P2 in the beginning and the 
post-assertion is equivalent to R2. Statement S3 must have the prop- 
erty 

{P2}S3{P2|r ] } 

and can be easily shown to be sum := sum + q{m). 

This gives us Solution 1.2, after assembling all the pieces. 
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Solution 1.2 

/I := 1;{P1} 
do n ¥> N-* 

m := m n ; sum := 0; {P2 A m = m„} 

do m ¥* THn+i —* 

sum := sum + q(m); 
m:= m + l{P2} 

od; {P2 A m = m n +i} 

print (sum); 

n:= n + 1{P1 A m — m n } 
od {PI A m = m n A n = N). 

We have added "m = m„" to the assertions where it happens to hold. 
This is indicated in bold and is used in the next section. 

3.2 Step 2 

Solution 1.2 is unsatisfactory since it explicitly uses N, m n , and m„+i, 
which are not available a priori. We modify it in the following to 
eliminate this deficiency. 

These modifications are done by (i) introducing additional program 
variables, (ii) slightly modifying the assertions to reflect the introduc- 
tion of new variables, and (Hi) adding appropriate statements to make 
the assertions hold. Thus, the modified program is guaranteed to be 
correct. We believe that this technique is applicable not just to this 
problem but also to the wider class of problems wherein files are 
processed sequentially or where the initial versions of the programs 
refer to quantities not readily available. 

We make the above-mentioned three changes as follows. In the first 
change, we eliminate the assignment statement m := m n . Note that the 
rest of the outer loop maintains m = m n invariant; so we could add this 
term to the loop invariant PI and eliminate the assignment statement. 
An extra initialization statement, m := 1, would then become necessary 
to establish the new loop-invariant in the beginning. The program is 
still correct. See Solution 2.1 below. 

In the second change, we modify the outer loop guard n¥= N. Since 

(n ¥> N) m [f(m n ) * f(m N )] , 
m.N = M, and 

m = m n 

hold before the outerloop, its guard can be replaced by f(m) ^ f(M). 
This change does not affect any of the assertions. 

In the third change, we modify the inner loop guard, m ¥* m n+i . For 
m n ^m < m„+i, 
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(m ¥> m n+ i) = [f(m) = f(m n )] . 

Therefore, we can use f{m) = f(m n ) as the guard in place ofm^ !fl B +i, 
without disturbing anything else. We now replace f(m n ) by a program 
variable F; the guard becomes f(m) = F. The meaning of the inner 
loop is kept unchanged by requiring F = f(m n ) to be true before the 
inner loop. This requirement is trivially met by adding the assignment 
F:= f( m ) at that point; notice that m = m n is true before the loop, as 
discussed above. 

The above additions appear in bold print in the following program. 

Solution 2.1 

n:= 1; m := 1; {PI A m = m n } 
do f(m) ^ f(M)-» 
sum := 0; F := f(m); {P2 A m = m„ A F = f(m„)} 

do f(m) = F-+ 

sum := sum + q(m); m:= m + 1{P2} 
od; {P2 A m = m n+i } 
print (sum); 

n:= n + 1{P1 A m = m„} 
od {PI A m = m„ A n = N). 

This program, stiU correct, does not explicitely use N or m„; notice 
that f(M) is the special value EOF. They are, however, an integral 
part of the proof and the assertions. The two assignment statements 
involving n could be removed from the program without affecting it. 
But we retain them, as the final value of n is of interest in printing the 
Nth line of the report. 

3.3 Step 3 

Solution 2.1 uses f(m) and q(m) as if they are available as arrays, 
but they are not. We eliminate their use in two steps and introduce file 
operations instead. This technique is useful not only in solving Mc- 
Donald's problem, but in a wider class of problems that involve 
sequential file processing. 

In Step 1, we replace f(m) and q(m) by the variables / and q, 
respectively. This necessitates asserting f=f{m) and q = q(m) before 
the statements where the substitution is made. Just as in the previous 
section, the assertions are made to hold by introducing appropriate 
assignment statements. 

The two above assertions can become false only after a statement 
that modifies m. Therefore, we introduce the assignment statements 
/":= f(m) and q := q(m) after each statement that modifies m. Solution 
2.1 has only two such instances. The program after these modifications 
is as follows. 
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Solution 3.1 

n := 1; m := 0; 

m:=m+l;f:= f(m); q := q(m); {P2 A m = m n A A) 

do/W(M)-» 

sum :=0;F:= f; {P2Am = m n AF = f(m„) A A] 

do f = F-» 

sum := sum + g; 
m := m + 1; 
fvfim); 

q:=q(m){P2AA) 
od; {P2 Am = m n AA) 
print (sum); 

n:= n + 1{P1 Am = m„ A A) 
od{Pl Am = m n An = N}, 

where A is f = f(m) A q = q(m), and the initialization of m has been 
broken up into two statements in the beginning of the program. 

We now introduce the file operations in this program: replace m := 
by openfile; m:=n+l,f:= f(m); q := q(m) by read( f, q); and f(M ) 
by EOF. Also, n equals N at the end of the program, so we can add the 
statement to print n — 1, the number of items transacted. The resulting 
program, without the assertions, is as follows. 

Solution 3.2 

n := 1; openfile; read(f, q); 
do / ¥> EOF^ 

sum := 0; F := /; 
do f = F-> 

sum := sum + q; 
read(f, q) 

od; 

print (sum); 

n := n + 1 
od; 
print (n — 1). 

This solution is identical to that obtained by the data structure 
design technique. It is considered to be a desired solution: its structure 
reflects the problem closely, it does not treat any card specially, it 
neatly handles all the groups one after the other, and it can be modified 
to add special processing at the beginning or at the end of a group.' 3 

IV. SUMMARY 

In this paper, we solved the McDonald's warehouse problem to show 
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how to effectively use Dijkstra's method to develop programs that 
process records in a file sequentially. 

The solution was developed in three steps. We first assumed that 
the records of the file were available in an array, and developed the 
program disregarding the file operations. This program also used 
certain symbols whose values are not readily available. These symbols 
were removed in the next step by introducing additional program 
variables and modifying the program under correctness assertions so 
that the next step could be carried out. Finally, we replaced one 
initialization statement by openfile, and selected groups of statements 
by readfile or writefile. The example discussed in this paper involved 
only reading a file, but the same techniques apply when a file is 
written, too. 

With a proper choice of invariants, the programs thus developed are 
comparable to those obtained by the data structure design, a technique 
that is considered to yield good programs for such problems. 
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